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What is claimed is: 



1 LA method of configuring a network security system, comprising: 

2 a. forming a registry data structure for defining roles within a 

3 network; 

4 b. mapping network security policies to the registry data structure, 

5 said network security policies being contained in one or more policy documents 

6 stored in machine readable form; and 

7 c. using a document transformation algorithm to transform the policy 

8 documents into one or more device-specific configuration documents stored in 

9 machine-readable form. 

1 2. The method according to claim 1 , further comprising generating instances 

2 of the roles and associated security policies, each instance being mapped to 

3 physical segments of the network. 

1 3 . The method according to claim 1 , further comprising distributing the 

2 device-specific configuration documents to network entities for implementing the 

3 network security policies. 

1 4. The method according to claim 1, wherein the registry data structure 

2 comprises a collection of documents that include information regarding the 

3 network roles and topology of the network. 

1 5 . The method according to claim 1 , wherein the registry data structure 

2 comprises a hierarchy of network types, each type comprising a definition of a 

3 network role. 

1 6. The method according to claim 5, wherein each network role is 

2 representative of a set of applications to be supported by the network. 
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1 7. The method according to claim 5, wherein when a parent network type is 

2 mapped to a policy contained in one of the policy documents, a child network 

3 type of the parent network type inherits the policy. 

1 8. The method according to claim 7, wherein when the child network type is 

2 mapped to a policy contained in one of the policy documents that is conflict with 

3 the policy inherited from the parent, the policy mapped to the child takes 

4 precedence over the policy inherited from the parent. 

1 9. The method according to claim 5, wherein an instance of one of the 

2 network types is mapped to one or more physical network segments and wherein 

3 the network type includes a set of data fields for defining the physical network 

4 segments. 

1 10. The method according to claim 6, wherein one of the network types is an 

2 abstract type without an instance mapped to a physical network segment. 

1 11. The method according to claim 5, wherein each network type further 

2 comprises a data field for identifying a human administrator. 

1 12. The method according to claim 5, wherein each network type further 

2 comprises a data field for providing a human readable description of the network 

3 type. 

1 13. The method according to claim 1 , wherein the network security policies 

2 are representative of restrictions to be placed on one or more of the network roles 

3 in the registry data structure. 

1 14. The method according to claim 1 , wherein the policy documents are in 

2 extensible markup language (XML). 
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1 15. The method according to claim 1 , wherein the document transformation 

2 algorithm is specific to a network entity utilized for implementing one or more of 

3 the security policies contained in the policy documents. 

1 16. The method according to claim 15, wherein the document transformation 

2 algorithm includes style sheet language for transformation (XSLT) controlled by a 

3 script. 

1 17. The method according to claim 16, wherein the script is specific to a 

2 network entity. 

1 18. The method according to claim 16, further comprising a step of selecting 

2 the script from among a plurality of scripts, each being specific to a different 

3 network entity. 

1 19. The method according to claim 16, wherein the device-specific 

2 configuration documents are in plain text format. 

1 20. A apparatus for configuring a network security system, comprising: 

2 a. a registry data structure including a plurality of network types, 

3 each network type being stored within a document in the registry and including a 

4 role definition and a set of fields defining segments of a network; 

5 b. security policy documents mapped to the registry data structure, 

6 each security policy document being representative of restrictions to be placed on 

7 a network type in the registry data structure; and 

8 c. a document transformation algorithm for transforming the 

9 documents in the registry and the policy documents into device-specific 
10 configuration documents stored in machine-readable form. 
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